On Tuesday 04 Nov 2003 5:46 am, Nick Marques wrote:
> Hey can I use Ethereal to sniff for virus traffic on a network?? I am
> currently using the succession of ARP Requests from the same host to
> consecutive IPs as an indication of RPC worms like Welchia. Is this method
> fool-proof.. what else might send out packets like that?? I ask because I
> am still seeing these packets on a system I know was patched and cleaned
> out.

No well-written network app. should send ARPs to successive addresses at maximum rate, like the Welchia traffic I have seen. I know of no network app. that needs to send out ARPs to successive addresses at all. Windows seems to send out the unnecessary ARP packets to well defined addresses, but nowhere near the same rate. Some network stacks send out ARPs for their own address as a way to check for duplicate IPs, but only once a minute at maximum.

> What are some other filters I can use for virus traffic??

SMTP traffic is probably a good indication for many of the modern worms. Especially on a network that runs Exchange.

--
Richard Urwin
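The heuristic discussed above (one host ARPing for consecutive addresses at high rate, while a once-a-minute gratuitous ARP for a host's own address is benign) as an added example, not code from the original thread. The ARP records, the run length of 4 and the one-second gap are constructed assumptions standing in for what a capture tool would export.

```python
# Flag hosts whose ARP requests walk consecutive IPv4 targets at a high rate.
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample (time in seconds, sender IP, target IP): 10.0.0.50 sweeps
# 10.0.0.1..6 in 50 ms; 10.0.0.7 probes its own address once a minute
# (duplicate-IP check); 10.0.0.9 does an ordinary gateway lookup.
ARP_REQUESTS = [
    (0.00, "10.0.0.50", "10.0.0.1"),
    (0.01, "10.0.0.50", "10.0.0.2"),
    (0.02, "10.0.0.50", "10.0.0.3"),
    (0.03, "10.0.0.50", "10.0.0.4"),
    (0.04, "10.0.0.50", "10.0.0.5"),
    (0.05, "10.0.0.50", "10.0.0.6"),
    (0.00, "10.0.0.7", "10.0.0.7"),
    (60.0, "10.0.0.7", "10.0.0.7"),
    (120.0, "10.0.0.7", "10.0.0.7"),
    (3.00, "10.0.0.9", "10.0.0.1"),
]


def consecutive_arp_sweeps(records, min_run=4, window=1.0):
    """Return {sender: longest_run} for senders that ARP for at least
    min_run consecutive target addresses with at most window seconds
    between successive requests (thresholds are assumptions)."""
    by_sender = defaultdict(list)
    for ts, sender, target in records:
        # Gratuitous ARP (sender == target) is a duplicate-IP check, not a sweep.
        if sender != target:
            by_sender[sender].append((ts, int(IPv4Address(target))))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()  # order by timestamp
        best = run = 1
        for (t_prev, ip_prev), (t_cur, ip_cur) in zip(events, events[1:]):
            # A run only continues if the next target is the next address
            # AND it arrived quickly; slow or scattered lookups reset it.
            if ip_cur == ip_prev + 1 and t_cur - t_prev <= window:
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_run:
            flagged[sender] = best
    return flagged


if __name__ == "__main__":
    print(consecutive_arp_sweeps(ARP_REQUESTS))  # {'10.0.0.50': 6}
```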